Slashdot Mirror


Should You Fire Your Firewall?

Gsurface writes "A lengthy article over at Flexbeta.net focuses on firewall applications and how well they perform as far as securing your system. Four typical firewall applications were tested including two routers, one being the Cisco 831 SOHO, which performed rather well. In total, nine security tests were conducted to measure how well each firewall performed."

13 of 50 comments

  1. I don't appreciate the hardware very much... by MrNerdHair · · Score: 5, Interesting

    Very interesting, although I've never been much for hardware firewalls. I grab an old machine, load it up with Slackware 9.1, and custom-configure the netfilter/iptables rules. It's a lot more versatile, and it's not just a firewall. It can be expanded to run every server known to man, such as ssh for remote control, or FreeS/WAN, for VPN.

    1. Re:I don't appreciate the hardware very much... by Creepy+Crawler · · Score: 4, Interesting

      Hardware firewalls are not meant for exquisite filtering or heavy duty VPN. What does make firewalls nice is that they have multiple ports (hence a router) and have a FULL bandwidth between any 2 channels.

      With your example, once that nice PCI bus gets saturated... Game Over. Too bad they don't make a 1 GBps card for the AGP slot.

      --
    2. Re:I don't appreciate the hardware very much... by nocomment · · Score: 4, Interesting

      Hardware firewalls are not meant for exquisite filtering or heavy duty VPN. What does make firewalls nice is that they have multiple ports (hence a router) and have a FULL bandwidth between any 2 channels.

      I agree with you, to a point. For a medium-sized network like mine, where there are _no_ hubs except for the one at the firewall (so the snort box can listen), the switches will take care of keeping the bandwidth that the firewall actually hears to a minimum. The PCI bus can handle 127-ish MB/s and 64-bit PCI can handle 508-ish. So unless you have a really high traffic system[1], this setup is not even noticeable between a Cisco, or other heavy duty router.

      [1] I have a really high traffic FTP server on my DMZ that is accessed a lot from systems on one of my NATs and from the internet. What I did was move this system (OBSD) in _front_ of the firewall, enable PF on the FTP server to firewall it. Then I added a 2nd NIC to the FTP server so it plugs directly into the LAN. This makes sure that almost _no_ traffic from that system actually hits the firewall. If I didn't do this, the PCI bus, like you say, would slow things to a crawl.

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
  2. The Shields Up! Test by Radical+Rad · · Score: 4, Interesting
    The D-Link router failed to stealth one port, while the bare system shows how vulnerable we can be without a firewall.

    But the port it shows as closed is 113 which is sometimes needed to authenticate to ftp or web sites. The authors of the review are assuming that the best firewall stealths absolutely everything. But if a product completely protects your system why wouldn't that be good enough? Same for ZoneAlarm4 not stealthing several ports under Advanced Port Scanning.

    I like the way they bring up outbound filtering though. Most "personal" firewalls don't do anything with this.

    1. Re:The Shields Up! Test by Micro$will · · Score: 2, Interesting

      I'm not sure about the DI-604, but I had an old DI-704 that would stealth 113 given the proper tweaks. I'm also surprised the 604 didn't show up to ICMP scans since I had to manually set mine to not reply.

      The Zone Alarm results are confusing too. I just installed the free version on a friend's machine, but had to disable it temporarily because it blocked the outbound request to access my file server. I assume there are many options you can configure to secure any hardware or software firewall, but you need to have the knowledge and patience to sit down for a day, preferably within a protected network, set them up and hammer on them with nmap.

    2. Re:The Shields Up! Test by orthogonal · · Score: 3, Interesting

      For reference port 113 is the 'ident' identification protocol.

      For reference, it's used by sendmail.

      Before learning this, firewall users who read their logs (me!) will have a paranoia-induced moment or two when they notice their host/ISP apparently scanning their ports, and will be even more bemused when they notice the scanning follows a regular period matching the period of their email client's polling.

      Fun stuff!
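
      A defender-side check for the pattern orthogonal describes (ident call-backs on TCP/113 recurring with the mail client's polling period): the script below, an added example that is not part of the thread, parses netfilter-style firewall log lines and labels each source as a regular single-port call-back or an irregular multi-port probe. The log lines and addresses are constructed, and the year 2004 is an assumed value for syslog timestamps that carry none.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed netfilter-style log sample (not from the thread): a mail server's ident
# (TCP/113) call-backs every five minutes, plus an unrelated host probing several ports.
SAMPLE_LOG = """\
Jan 10 09:00:02 fw kernel: DROP IN=eth0 SRC=192.0.2.25 DST=198.51.100.7 PROTO=TCP SPT=4021 DPT=113
Jan 10 09:05:01 fw kernel: DROP IN=eth0 SRC=192.0.2.25 DST=198.51.100.7 PROTO=TCP SPT=4108 DPT=113
Jan 10 09:10:03 fw kernel: DROP IN=eth0 SRC=192.0.2.25 DST=198.51.100.7 PROTO=TCP SPT=4190 DPT=113
Jan 10 09:15:02 fw kernel: DROP IN=eth0 SRC=192.0.2.25 DST=198.51.100.7 PROTO=TCP SPT=4277 DPT=113
Jan 10 09:03:40 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=55001 DPT=135
Jan 10 09:03:41 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=55002 DPT=139
Jan 10 09:11:17 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=55003 DPT=445
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) .*?DPT=(\d+)")

def parse(log_text, year=2004):
    """Return (timestamp, src, dport) tuples; 'year' is assumed since syslog omits it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not netfilter hits
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), int(m.group(3))))
    return events

def classify(events, min_hits=3, max_jitter=0.1):
    """Per source host: 'periodic' if one port is hit at near-constant intervals, else 'irregular'."""
    by_src = {}
    for ts, src, dport in events:
        by_src.setdefault(src, []).append((ts, dport))
    report = {}
    for src, hits in by_src.items():
        hits.sort()
        ports = sorted({d for _, d in hits})
        label = ("irregular", ports, None)
        if len(hits) >= min_hits and len(ports) == 1:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
            if pstdev(gaps) <= max_jitter * mean(gaps):  # jitter within 10% of the period
                label = ("periodic", ports, round(mean(gaps)))
        report[src] = label
    return report

if __name__ == "__main__":
    for src, (label, ports, period) in classify(parse(SAMPLE_LOG)).items():
        print(src, label, ports, period)
```

      A source labelled periodic on port 113 alone, with a period equal to the mail poll interval, is the ident call-back rather than a scan; the irregular multi-port source is the one worth a closer look.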

  3. TooLeaky test is BS by VarmintCong · · Score: 5, Interesting

    I decided to try some of these tests myself. When testing using TooLeaky, I got a notification that it sent the information to GRC.com and received information from GRC.com, even when I disabled my internet connection.

    Sounds like BS to me.

  4. My hw FW blocks outbound! by redelm · · Score: 2, Interesting
    I use a Siemens 2602. I could easily set up a Slack9.1 box to do the same thing, but the electricity consumption, noise, space and admin aren't worth it.

    Blocking outbound is an important feature. My kids run MS-Win boxen, and these are sure to get trojanned. One of the nastiest rather quietly acts as a spam relay. AOL (hardly authoritative) has claimed 1/3 of spam inbound is from DHCP broadband. So I'm a responsible netadmin and block outbound 25 from their machines. They get their mail via yahoo anyways.

    Now, if my son needs grounding (he hasn't), I may need to find out the AIM ports to block.

  5. ShieldsUp doesn't go far enough to test servers. by Futurepower(R) · · Score: 2, Interesting
    He wasn't being careful in what he said, probably. There is nothing wrong with ShieldsUp! at GRC.com. (Scroll down to ShieldsUp, which cannot be linked directly.)

    However, ShieldsUp doesn't go far enough in testing for vulnerabilities. ShieldsUp is perfect for testing systems or LANs that have no servers, because you are only trying to verify that there is no response at a particular port. However, if there is a server, other attacks than those of ShieldsUp should be tried.

  6. Re:ShieldsUp doesn't go far enough to test servers by delus10n0 · · Score: 2, Interesting

    Check out http://www.grcsucks.com/ for info debunking GRC/ShieldsUp/Steve Gibson. He's a quack.

    --
    Not All Who Wander Are Lost
  7. "An In-depth Look at SMALL SYSTEM Firewalls" by Futurepower(R) · · Score: 4, Interesting
    This is just one more case where an excellent area of inquiry is ruined by the wording of a Slashdot article, and by people trying to show how much they know without saying anything that could actually be used by someone else.

    The article at Flexbeta should not be worded, "An In-depth Look at Firewalls", it should be "An In-depth Look at Small System Firewalls". Most single computers or small LANs have no servers.

    The parent post is considering an important issue for systems of 100 users. Systems that large are far out of the scope of the Flexbeta article.

    We need two Slashdot articles on firewalls, one for small systems, and one for more complex LANs.

    The Flexbeta article considered only Linksys (now owned by Cisco) and D-Link small system hardware firewalls. It did not consider Airlink Plus and Netgear.

    I got burned with poor technical support from Cisco. Also, Cisco stopped supporting its 675 router. I don't want to be involved with Cisco again, so Linksys is out, especially because of the confused Linksys web site. Cisco has an enormous conflict of interest. If Linksys sells good firewalls, it will mean Cisco sells fewer.

    So, which is the better hardware firewall, D-Link DI-604, or the Netgear RP614?

  8. Overblown language, but ShieldsUp tests ports. by Futurepower(R) · · Score: 2, Interesting
    While Steve Gibson is known for overblown language, his ShieldsUp does in fact test for open ports.

  9. how good is good enough by tanguyr · · Score: 2, Interesting

    One of the questions that this discussion doesn't take into account is just how good does a personal firewall on a home computer have to be in order to be effective?

    It seems to me that you have to take the "threat level" into account: are you looking for a solution to keep you one hundred percent safe in the face of a dedicated attack by an expert opponent, or do you just want to deter random port scanning dorks from Malaysia? If you're not a convenient victim and your neighbor runs vanilla Windows XP, doesn't have a firewall, doesn't apply security patches and, hey, while we're at it, surfs porn from dodgy Russian sites all day... chances are you're safe enough... for now. /t

    --
    #!/usr/bin/english